by: Teresa Lin, Associate Editor, MTTLR
Editor: This post is part of a short MTTLR Blog series on the Computer Fraud and Abuse Act – Part one (this post) argues that the CFAA should not be expanded to address the problem of online bullying. Part two looks to the Sarah Palin email hacking case to call for a review and possible expansion of the CFAA’s provisions.
Bullies. They’re an unattractive staple of childhood. Most of us have either been one, encountered one, or observed one in action. But, alas, gone are the good old days of schoolyard bullies, where our homes were still places of refuge from schoolyard threats and teases. A new era of bullying has arrived – cyberbullying.
If you’re reading this blog, then you might have already heard of the MySpace suicide case often used in awareness campaigns against cyberbullying. For those that haven’t, here’s a quick recap:
In November of 2007, Lori Drew was accused of helping her minor daughter create a fake MySpace account to lure, ridicule, and taunt her daughter’s ex-friend and neighbor, Megan Meier. Megan, at age 13, committed suicide as a result of the online bullying. While Missouri prosecutors were unable to find anything in the books to charge Lori Drew for criminal wrongdoing relating to Megan’s death, federal prosecutors in Los Angeles did not. This May, Drew was indicted by a grand jury in Los Angeles for conspiracy to commit a federal crime under the Computer Fraud and Abuse Act (CFAA), 18 U.S.C. § 1030. While the trial was scheduled to begin on October 7th, it has not proceeded, and Drew’s defense attorney believes that the trial might be pushed further into December.
For a more thorough account of the story, see this New Yorker article, or follow the case on the Wall Street Journal Law Blog.
The question now is whether District Court Judge Wu should dismiss Drew’s indictments under the CFAA. And if so, what then for the morally reprehensible behavior of Lori Drew, an adult who instigated and heightened a game of child’s play that lead to a young girl’s suicide?
Let’s begin by examining the textual problems with charging Drew under § 1030(a)(2)(c). This subsection of the statute makes it a federal crime for anyone to intentionally access a computer without, or in excess of, authorization to obtain information from a protected computer, if the conduct involved an interstate or foreign communication. The Congressional intent of this statute was not to give federal jurisdiction over all circumstances in which someone unlawfully obtains information via a computer or the internet. Rather, subsection 1030(a)(2)(C) was amended in 1996 with the intent to use the CFAA to “protect against the interstate or foreign theft of information by computer.” The purpose of this subsection is clear: CFAA is meant to punish those who ‘steal’ information (whether tangible or intangible) through computers. What interstate theft was involved in the MySpace suicide? Even if we’re wildly assuming that juicy teen gossip can be considered an intangible good that the Drews ‘stole’ from Megan, where is the interstate connection? All the parties involved in this case resided in Missouri during the entire episode. The only interstate medium remotely applicable is MySpace. MySpace and its servers are in Beverly Hills, California, a subsidiary of Fox Interactive Media. But the communications exchanged were still between people within Missouri.
Furthermore, the statute has been historically applied to mostly internet hacking cases; if the prosecution is allowed to continue under CFAA, it’s a daunting expansion of the federal government’s jurisdiction into unchartered and unintended territories. When Drew and her daughter registered the MySpace account under a fake identity, Drew agreed to the website’s terms of service (TOS). (MySpace updated their TOS in February 2008; this linked version may be different from the one Drew and her daughter agreed to in 2007). The TOS required Drew to register the account based on truthful and accurate information, to refrain from promoting false or misleading information, and to refrain from using MySpace to harass, abuse, or harm other people. The prosecution claimed that Drew and her daughter conspired to violate MySpace’s TOS when they set up their hoax account based on a fraudulent identify to use it for tortious actions against Megan Meier. Thus, according to the indictment, they violated provisions of the CFAA by intentionally accessing a computer without and in excess of authorization to obtain information from Megan over the internet.
Lawmakers and lawyers alike may feel their hair rise to hear the CFAA applied so broadly. What would it mean for users for the federal government to be able to broadly apply the CFAA to all users who register accounts under false information? For security purposes, I purposely register all my accounts under different date of births so that my personal information is not readily available on the web. Of course, the government won’t prosecute everyone that commits fraudulent registrations, right? But if not, how does the government decide who should be prosecuted, and will they be allowed to exercise such discriminatory selection? Allowing the prosecution to continue under the CFAA statute clearly raises issues related to social networking generally. It might not hurt to start reviewing some of the TOS you may have agreed to already, such as for Facebook, Twitter, Habbo, Friendster, or Orkut.
Justice Oliver Wendell Holmes said it best in his dissent in Northern Securities Co. v. United States: hard cases make bad law. What happened to Megan was a hard case – a life prematurely thrown away due to an immature prank by an adult. This awful tragedy draws on our innate social emotions to want to connect a law that can severely punish Lori Drew for her actions. But, as loud as society is screaming for justice, expanding the CFAA to such an extent is clearly bad law.
For those unsatisfied with the conclusions drawn above, here’s a tidbit to console if Drew avoids legal prosecution. While the court battles the legal dilemma of how to prosecute Lori Drew, if at all, the blogging community has been alive with their own sort of virtual vigilante justice. In mid November of 2007, when the story exploded over national television, video clips from CNN and Fox News, and even the original Suburban Journals article that first ran the story, all refrained from revealing the identify of Lori Drew to the public out of concern for her minor daughter. Repulsed by Drew’s action, the internet community was not so kind. By November 17, 2007, bloggers broadcast and posted Lori Drew’s name, police report, personal address, business information, phone number, and her husband’s employment information. Drew, who owned an advertising business, was rumored to have closed down her business and relocated due to her notoriety. Drew is sure to be haunted by her actions for a very long time. But is this form of virtual vigilante justice satisfying? Is it commendable or condemnable? The lines between the vigilante response and the original abuses grow increasingly unclear.
Though virtual vigilantism is a debatable sort of justice, the community at large has been taking a more definite form of justice – legislation. Numbers of states have either proposed or already enacted legislation that prohibits cyberbullying. See examples from New York, California, Illinois, and Missouri. Congress has also gotten involved, drafting a bill to make cyberbullying a federal crime, also known as the Megan Meier Cyberbullying Prevention Act.